This is a short, down and dirty guide to setting up a site to site VPN in OpenBSD. It is taken straight from a job setup I just completed.
In my work situation, we have two datacenters , one on each side of the country. Each datacenter (dc) setup has two internal networks- the first we call the public network, where traffic to and from the Internet traverse (like HTTP traffic from a website we host to a client on the Internet.) The second network we call the private network, and packets on that network never hit the Internet (so as to provide a secure channel between all the servers inside each network for things like DNS resolution and SQL communication between SQL servers and webservers..) This means each server has two NICs, one for public/Internet communications, and one for private/intranet communications.

We wanted to link each private network at each datacenter to each other so that servers at each DC could talk to each other via their private network interfaces, and we wanted those communications to remain secure (read: encrypted.) Our public firewall gateways had VPN capability, but they were for strict use on the 'public' side of the network. We wanted them to continue to do that without the added fluff of a VPN configuration connecting the private sides of each network. So I dropped an OBSD box into each datacenter (vpnbox1 and vpnbox2), each with two NICs (just like all the other servers, one NIC for public communications and one NIC for private communications.)

Assumptions-
- The vpnboxes are not the default gateways for each respective network to the Internet itself... they are simply being tacked onto the existing network. So 1.1.1.2 and 1.1.1.253 use the router at 1.1.1.1 as it's default gateway, for instance.
- You have another device or layer handling local security on each network... configuring PF on these only clouds the lesson.
- each VPN box has two nics, one for regular connection to the network for default gatewaying (pub), and the other as the entry/exit point for the VPN connection (pri).
- The private networks (pri) are connected to each other via L2 switch (not show in diagram.)